Trojan:DOS/Alureon.E - Info To Clean

Welcome to Major Geeks!


Please download MIalt.bat and save it to your Desktop. Then right click on the Env.bat and select Run As Administrator. This will run reasonably fast and will add a log to C:\MGlogs.zip. Attach the updated MGlogs.zip file.

Did you knowingly install the below items?

O2 - BHO: ShopAtHome.com Toolbar - {66516A07-F617-488A-90CF-4E690CFB3C5F} - C:\Program Files\ShopAtHome\tbcore3U.dll
O2 - BHO: Freecause Shopping BHO - {91917DC6-93B9-4E62-B2D6-D39C9618C418} - C:\Program Files\Shop to Win 4\ShoppingBHO.dll
O2 - BHO: HelloWorldBHO - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files\Common Files\Homepage Protection\HomepageProtection.dll
O3 - Toolbar: ShopAtHome.com Toolbar - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Program Files\ShopAtHome\tbcore3U.dll

 

Almost forgot!! Please also do the below.

Now please also download MBRCheck to your desktop.


See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

 

And after looking further into your logs, I'm betting that you are missing things from your Start Menu, All Programs, Desktop, Quick Launch etc which you have not mentioned yet.

Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it. Did that help with your missing items?

 

Yes of course it does! I have not given you a fix for it yet which is why it is still there. We needed more info first and we also need to restore your missing info.

Do you have your Vista boot DVD so that we can use it to boot to the System Recovery Environment to repair your MBR? We will need to do this after we fix your infection which is in your partition table. A fake/infected partition has been added to your hard disk. See your partition list below. The one in red is the problem.

Code:

Partition Disk #0, Partition #0 
Partition Size 366.35 GB (393,365,758,464 bytes) 
Partition Starting Offset 32,256 bytes 
[COLOR=red][B]Partition Disk #0, Partition #1 [/B][/COLOR]
[B][COLOR=red]Partition Size 2.95 MB (3,088,384 bytes) [/COLOR][/B]
[B][COLOR=red]Partition Starting Offset 400,085,360,640 bytes [/COLOR][/B]
Partition Disk #0, Partition #2 
Partition Size 6.26 GB (6,719,569,920 bytes) 
Partition Starting Offset 393,365,790,720 bytes

Also in preparation for our next steps, you have to make the below bootable CD containing G-Parted which we will use to remove the infected partition

• Please download: gparted-live-0.11.0-7.iso (114 MB)
• Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
• If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Just make the CD for now. Don't do anything else with it yet. I need to know if you have your Vista DVD or another way to boot to the Recovery Environment before we continue

 

You're welcome.

Because your infection had not yet made itself the active boot partition and thus simply deleting the infected partition worked okay. In many cases, these infections are making themselves the active boot partition and changing the MBR too. Thus are instructions cover this case too by having users repair the MBR and the boot process afterwards. If we did not give instructions for this and simply deleted the partition, many people would not know what to do afterwards when their PC would no longer boot into Windows.

You should fix the real problem drive using G-Parted and if the real Windows boot partition is still the active partition, you may be okay and not have to do anything else.
If the PC does not boot, you will have to boot into the System Recovery Environment and run the below commands

• bootrec /fixmbr
• bootrec /fixboot
• exit

After this is finished run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay that took care of the infected partition. I notice the WMIC is not running. Did someone disable this on purpose?

Is the PC having anymore malware problems?

 

The service may be disabled and stopped. Run the below newer version of MGtools and it may show us if the Windows Management Instrumentation service is stopped.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\MGlogs.zip